Bug 1946269 (CVE-2021-29421) - CVE-2021-29421 pikepdf: XML external entity issue when parsing XMP metadata entries
Summary: CVE-2021-29421 pikepdf: XML external entity issue when parsing XMP metadata e...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2021-29421
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
: 1945364 (view as bug list)
Depends On: 1946270 1946708
Blocks: 1946271
TreeView+ depends on / blocked
 
Reported: 2021-04-05 16:01 UTC by Pedro Sampaio
Modified: 2021-11-02 23:26 UTC (History)
4 users (show)

Fixed In Version: pikepdf 2.10.0
Doc Type: If docs needed, set a value
Doc Text:
There's a flaw in the pikepdf Python library's XMP metadata parsing functionality. An attacker who is able to submit a crafted PDF file to be processed by pikepdf could trigger an XML External Entity (XXE) injection. The highest threat of this flaw is to confidentiality of data.
Clone Of:
Environment:
Last Closed: 2021-11-02 23:26:55 UTC
Embargoed:

Attachments (Terms of Use)

Description Pedro Sampaio 2021-04-05 16:01:51 UTC 
models/metadata.py in the pikepdf package 1.3.0 through 2.9.2 for Python allows XXE when parsing XMP metadata entries.

Upstream patch:

https://github.com/pikepdf/pikepdf/commit/3f38f73218e5e782fe411ccbb3b44a793c0b343a
Comment 1 Pedro Sampaio 2021-04-05 16:02:13 UTC 
Created python-pikepdf tracking bugs for this issue:

Affects: fedora-all [bug 1946270]
Comment 2 Todd Cullum 2021-04-06 17:16:11 UTC 
*** Bug 1945364 has been marked as a duplicate of this bug. ***
Comment 4 Todd Cullum 2021-04-06 17:29:13 UTC 
Statement:

This flaw does not affect any Red Hat shipped commercial products, as pikepdf is not currently shipped.
Comment 5 Todd Cullum 2021-04-06 17:29:15 UTC 
External References:

https://github.com/pikepdf/pikepdf/blob/master/docs/release_notes.rst
Note You need to log in before you can comment on or make changes to this bug.